CC BY
2
7. ГОСТ 34.13-2018. Информационная технология. Криптографическая защита информации. Режимы работы блочных шифров. М.: Стандартинформ, 2018.
8. Р 1323565.1.017-2018. Информационная технология. Криптографическая защита информации. Криптографические алгоритмы, сопутствующие применению алгоритмов блочного шифрования. М.: Стандартинформ, 2018.
9. Ahmetzyanova L. R., Alekseev Е. К., SedovG.K., et al. Practical significance of security bounds for standardized internally re-keved block cipher modes // Математические вопросы криптографии. 2019. Т. 10. №2. С. 31-46.
10. Dworkin М. NIST SP 800-38D. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. Technical Report. Gaithersburg, MD, United States, 2007.
UDC 519.719.2 DOI 10.17223/2226308X/16/28
PUBLIC KEYS FOR E-COINS: PARTIALLY SOLVED PROBLEM USING SIGNATURE WITH RERANDOMIZABLE KEYS
A. A. Babueva, S. N. Kvazhin
We give an example of an existing cryptographic mechanism that can be considered as a partial solution to the problem "Public keys for e-coins" proposed at the International Olympiad in Cryptography NSUCRYPTO'2022. This mechanism is used with the class of signatures with rerandomizable keys and provides one of the two security properties required by the authors of the problem. The results of this paper contain a systematic description of security models that can be used to analyze signature with rerandomizable keys, which is of independent interest.
Keywords: public key derivation, signature with rerandomizable keys, related key attack, BIP32, NSUCRYPTO.
1. Introduction
The unsolved problem «Publie keys for e-eoins» [1] was given as one of the tasks at the International Olympiad in Cryptography NSUCEYPTO'2022. The problem is to propose a way to calculate the public keys pk^ ..., pkn (corresponding to the private keys sk^ ..., skn), which can be used to verify the transaction authenticity, based on a single master key pk0 (i.e., public key derivation scheme): pk = f(pki-1,T), i = 1,... ,n. The proposed method, according to the requirements proposed by the authors of the problem, should provide the following security properties:
1) knowing pk0, ^d T, it is impossible to find any private key ski; i = 1,..., n;
2) it is impossible to recover ski; if the secret keys sk1,...,ski-1,ski+1,...,skn are known.
However, in general, such requirements are not enough for key derivation, since the security of the mechanisms used to authenticate transaction is often analyzed under the assumption of a random and independent key selection. The solution is to analyze the joint security of such mechanism and key derivation process. The influence of key derivation on the mechanism used for the transaction authenticity can be described with a well-known type of attacks: related key attacks [2].
The problem does not limit the mechanism that is used to authenticate the transaction, however, signature schemes are most often used for this purpose. In this paper, we describe the interface of a modified signature scheme (the so-called signature with rerandomizable keys), and also systematize security models for its analysis. All the models considered
describe a stronger property compared to the property 1, In addition, we give an example of the existing public key derivation mechanism for the ECDSA signature scheme [3] described in Bitcoin Information Proposal BIP32 [4], as well as the results of the ECDSA security analysis in one of the described models,
2. Signature with rerandomizable keys
Let's describe the interface of the modified signature scheme using the standard signature scheme interface. We adopt the definition of signature with rerandomizable keys from [5, 6],
Definition 1. A signature Sig is a tuple of the following algorithms:
— Sig.Gen is the probabilistic key generation algorithm, takes as input public parameters par, returns a pair (sk, pk) of secret and public keys;
— Sig.Sign is the probabilistic signing algorithm, takes as input a secret key sk and a message m, returns a signature a;
— Sig.Verify is the deterministic verification algorithm, takes as input a public key pk, a signature a, and a message m, returns 1 (accept) or 0 (reject).
Definition 2. A signature with rerandomizable keys RSig is a tuple of the following algorithms:
— RSig.Gen, RSig.Sign, RSig.Verify are the algorithms as defined above;
— RSig.RandSK is the probabilistic secret key rerandomization algorithm, takes as input a secret key sk and randomness p e Q, returns a rerandomized seeret key sk';
— RSig.RandPK is the probabilistic public key rerandomization algorithm, takes as input a public key pk and randomness p e Q, returns a rerandomized public key pk'.
Remark 1. The public key derivation mechanism defines the mechanism for generating p values and is not part of the RSig,
Remark 2. In general, the Q set from which the p values can be selected is limited. But we did not include this in the system interface due to a remark 1,
3. Security models for signature with rerandomizable keys
The standard security requirement for the signature scheme is the unforgeabilitv property which is formalized by UF-CMA notion [7]. The adversary is allowed to obtain the signatures for adaptivelv chosen messages. It's task is to provide a forgery, i.e., (signature, message) pair which is correct and non-trivial.
The rerandomizable key usage expands the ways to define both the type of attack and the threat. In the current section we provide the survey of the known security models for such class of signature schemes.
The attack. The adversary is allowed to obtain the signatures computed not only with the original secret signing key sk, but also with the modified keys produced by RandSK algorithm.
We define two types of attack depending on which keys can be queried for the signatures:
pQ
— keys produced with the randomness honestly chosen by the challenger during the game processing. The ability of the adversary to know these randomness values is captured by the access to the Rand oracle.
Further we differ these types of attack in the model name by RKA (Related Key Attack) and KRKA (Known Related Key Attack) respectively. Clearly, first type of attack is stronger, i.e., the security in *-RKA model implies the security in *-KRKA model.
The threat. One way to define the threat is to do it similarly to the standard UF-CMA notion, i.e., making the forgery (m*, a*) for the original public key pk. The only ambiguity here is defining the triviality of the forgery.
We define two types of threat depending on the forgery for which message should be
done for winning the game: m*
m* sk
Further we differ these types of threat in the model name by wUF (weak UnForgeability) and UF (UnForgeability) respectively. Clearly, first type of threat is stronger (the model is weaker), i.e., the security in UF-* model implies the security in wUF-* model.
The formal definition of the corresponding security models is presented in Fig, 1, Here, the basic UF-CM-RKA model is defined by black color, it was introduced in |2|, The modification of this model by adding blue color strings defines the UF-CM-KRKA model |7|, and by adding red color strings — wUF-CM-RKA model |8|, Finally, all strings together form the wUF-CM-KRKA model.
ExpRsSg
w UF-CM-KRKA
(A)
(sk, pk)
,
RSig.Gen( )
(m*,a*) £ ASign'Rand(pk) if m* G L : return 0 res £ RSig.'Verify (pk, m*, a*) return res
Oracle Sign(p, m)
i: if (p/ fi)V(p/ R): 2 : return ±
sk' £ RSig.RandSK(sk, p) a £ RSig.Sign(sk', m) if (sk' = sk)V(sk' = sk): a: L^Lujm} : return a
Oracle Rand( )
U n p \i
R^RUjpj return p
Fig. 1. UF-CM-RKA, UF-CM-KRKA, wUF-CM-RKA, wUF-CM-KRKA models definition
Another way to define the threat is to allow the adversary to make the forgery for any public key, not only the original key pk. In this case, the adversary returns the triple (p*,m*,a*), where p* defines the public key pk* for which the forgery is made. The randomness p* should belong to the set Q or should be obtained as a result of query to the Rand oracle (depending on RKA or KRKA attack type). Following the paper [7], we refer to the models with such definition of the threat by adding "s" (strong) before the attack type. Clearly, such models are stronger then the corresponding models without "s", i.e., the security in *-sRKA (*-sKRKA) model implies the security in *-RKA (*-KRKA) model.
Similarly to the previous models, there are two possible ways to determine the triviality of the forgery:
— pair (p*, m*) should be fresh, i.e., should not be queried to the Sign oracle (UF-* model);
— message m* should be fresh, i.e., should not be qu eried to the Sign oracle (wUF-* model).
The formal definition of the corresponding security models is presented in Fig. 2. Here, the basic UF-CM-sRKA model is defined by black color, it was introduced in |2|, The modification of this model by adding blue color strings defines the UF-CM-sKRKA
model |7|, and by adding red color strings — wUF-CM-sRKA model |6|, Finally, all strings together form the wUF-CM-sKRKA model |5|,
ExpRSig
wUF-CM-sKRKA
(A)
Oracle Sign(p, m)
(sk, pk) <- RSig.Gen()
L, R^ 0
(p*,m*,a*) <- ASifln,Rand(pk) if (p* / Q)V(p* / R):
return ± if ((p*,m*) G L)V((-,m*) G L) :
return 0 pk* ^ RSig.RandPK(pk, p*) res ^ RSig.Verify(pk*, m*, a*) return res
1 : if (p / Q)V(p / R):
2 : return ± sk' ^ RSig.RandSK(sk, p) a ^ RSig.Sign(sk', m) L^LU {(p, m)} return a
Oracle Rand( )
n
p S2
RbRU{p} return p
Fig. 2. UF-CM-sRKA, UF-CM-sKRKA, wUF-CM-sRKA, wUF-CM-sKRKA models definition
4. BIP32 scheme and its security
Let P be the generator of the elliptic curve point group, (sk, pk = skP) — the ECDSA signature key pair, X —the HMAC [9] key.
The scheme described in BIP32 assumes the use of signature with rerandomizable keys based on ECDSA, where
RSig.RandSK(sk, p) = sk + p, RSig.RandPK(pk, p) = pk + pP,
and the mechanism for generating p based on the algorithm HMAC.
Denote bv HMAQ/2(X, m) a function that returns the left //2 bits of the /-bit result of the function HMAC(X, m). For simplicity, we will further omit the functions of converting a bit string into a group element and vice versa.
The mechanism of generating pi; used to calculate the zth key pair (skj, pkj, i = 1,..., n, from the key pair (sk0, pk0 = sk0P), is defined by the following function:
pi = HMACi/2(X, pko||i).
Thus, in terms of the original problem, the key K plays the role of an parameter T, and the function f is represented as follows:
pki = f (pk^, K) = pkj-1 + HMACi/2(K, pko||i)P - HMACi/2(K, pko|i - 1)P.
Among the models described in the section 3, the UF-CM-sKRKA model seems relevant for analyzing this scheme, because:
— an actual threat is forgery with respect to at least one key pki; i e {i,..., n} (strong threat is relevant);
— the adversary has the capability to get the p values, only calculated using the HMAC function (known related key attack is relevant).
The paper |7| shows that the ECDSA signature with rerandomizabe keys is secure in this model.
5. Conclusion
In this paper, we give an example of an existing cryptographic mechanism that can be considered as a partial solution to the problem "Public keys for e-eoins" proposed at the International Olympiad in Cryptography NSUCRYPTO'2022, This mechanism is used with the class of signatures with rerandomizable keys and provides one of the two security properties required by the authors of the problem. The existence of mechanisms with the second property remains (hopefully temporarily) an unsolved problem.
The results of this paper contain a systematic description of security models that can be used to analyze signature with rerandomizable keys, which is of independent interest,
REFERENCES
1. Problem 10. "Public keys for e-coins". International Olympiad in Cryptography NSU-CRYPTO'2022. https: //nsucrypto.nsu.ru/archive/2022/round/2/section/0/task/10/.
2. Bellare M., CashD., and Miller R. Cryptography secure against related-key attacks and tampering. LNCS, 2011, vol.7073, pp.486-503.
3. FIPS 186-5. Digital Signature Standard, https://csrc.nist.gov/publications/detail/ fips/186/5/final.
4. BIP 32. Hierarchical Deterministic Wallets, https://github.com/bitcoin/bips/blob/ master/bip-0032.mediawiki.
5. Das P., Faust S., and Loss J. A formal treatment of deterministic wallets. Proc. ACM SIGSAC Conf. CCS'19, N.Y., ACM, 2019, pp. 651-668.
6. Fleischhacker N., Krupp J., Malavolta G., et al. Efficient unlinkable sanitizable signatures from signatures with re-randomizable keys. LNCS, 2016, vol.9614, pp. 310-330.
7. Yuen Y. H. and Yiu S. M. Strong known related-key attacks and the security of ECDSA. LNCS, 2019, vol. 11928, pp. 130-145.
8. Morita H., Schuldt J. C. N., Matsuda T., et al. On the security of the Schnorr signature scheme and DSA against related-key attacks. LNCS, 2016, vol.9558, pp.20-35.
9. Bellare M., CanettiR., and Krawczyk H. Keying hash functions for message authentication. LNCS, 1996, vol. 1109, pp. 1-15.
UDC 519.7 DOI 10.17223/2226308X/16/29
EFFICIENT MATRIX MULTIPLICATION FOR CRYPTOGRAPHY
2
S. Pal
WITH A COMPANION MATRIX OVER Fo1
A number of schemes in cryptography and other allied areas require operations on matrices that are computationally expensive. However, the computational load due to standard operations like multiplication can be drastically reduced by the choice of special matrices. One such special matrix is the companion matrix of a monic polynomial of degree n over a finite field. Due to its cyclic structure and sparseness property, such a matrix not only helps us to reduce the complexity of matrix multiplication but also can be applied for cryptographic purposes. In this paper, an algorithm is proposed for the multiplication of an arbitrary matrix with a companion matrix over a finite field of order p. In our algorithm, we not only reduce the complexity but also minimize the number of multiplication operations as much as possible. The complexity of multiplication of any n x n matrix with a companion
1The work was supported by the Mathematical Center in Akademgorodok under the agreement No. 07515-2022-282 with the Ministry of Science and Higher Education of the Russian Federation.
